Secure Capacity Region for Erasure Broadcast Channels with Feedback 






Laszlo Czap Vinod M. Prabhakaran Suhas Diggavi Christina Fragouli 

EPFL, TIFR, UCLA and EPFL 



Abstract. We formulate and study a cryptographic problem relevant to wireless: a sender, Alice, wants to transmit private messages to two receivers, Bob and Calvin, using unreliable wireless broadcast transmissions and short public feedback from Bob and Calvin. We ask at what rates we can broadcast the private messages if we also provide (information-theoretic) unconditional security guarantees that Bob and Calvin do not learn each other's message. We characterize the largest transmission rates to the two receivers for any protocol that provides unconditional security guarantees. We design a protocol that operates at any rate pair within the above region, uses very simple interactions and operations, and is robust to misbehaving users.

1 Introduction

Wireless bandwidth is scarce; to use it efficiently we need to mix private messages intended for different users, and this makes securing such channels hard. Consider the situation where a wireless access point, Alice, wants to send private messages to two receivers, Bob and Calvin. To do so, Alice can only use the wireless channel, where each packet transmission is broadcast and subject to errors. A simple strategy is for Alice to keep retransmitting each packet until it is acknowledged by the intended receiver. But as Alice repeatedly broadcasts a packet intended for Bob, Calvin may overhear it. In fact, recent work has established that Calvin should try to overhear the packets intended for Bob, while Alice should code across the private packets she has for Calvin and Bob, as this can significantly increase the communication rates both receivers experience [1,2,3,4,5]. Fig. 1 illustrates such an example. In the wireless community, the need for bandwidth efficiency is acutely perceived, and there is significant effort in developing and deploying such schemes that rely on opportunistic overhearing and mixing of private messages [6,7,8]. However, the gain in efficiency seems to come with a security compromise, since Bob and Calvin learn parts of each other's message. This leads us to ask a new question¹.

Question: In a wireless broadcasting setting, can we characterize the optimal unconditionally (information-theoretically) secure transmission rates for conveying private messages to Bob and Calvin?

In this paper we answer this question when Alice can use a broadcast erasure channel, while Bob and Calvin can send (public, reliable, and authenticated) packet acknowledgments. That is, each transmission of Alice is either perfectly received or completely lost by Bob and Calvin, independently of each other, and they can causally acknowledge this fact. Channels that perfectly erase packets do not exist in nature; even if a packet is corrupted by noise it would still be possible to extract some information from it. However, recent experimental results on wireless testbeds show that one can create almost perfect erasures through careful insertion of interference and appropriate coding [9,10]. This mechanism also enables erasure channels with known erasure probabilities. Furthermore, the results for erasure channels can serve as building blocks for noisy wireless channels [11,12,13].

If we do not insist on information-theoretic security guarantees, there exist today methods to answer this question; our work, as far as we know, is the first to examine whether it is possible to provide unconditional guarantees and at what rates.

Our contributions: We propose a low-complexity two-phase protocol, which first efficiently generates secure keys and then judiciously uses them for encryption, exploiting the wireless broadcast properties. We prove our protocol is optimal by showing a matching impossibility result: we show that no other scheme can achieve better secure private transmission rates to Bob and Calvin. To the best of our knowledge, this is the first result on information-theoretic security where the optimal strategy has a natural need for a two-phase protocol for secure message transmission. Our impossibility result also introduces new information-theoretic techniques that utilize a balance between generated and consumed keys; the bounds hold for any valid security protocol and do not require it to be a two-phase scheme.

¹ To formalize this question we need to specify (i) what is a good model for the noisy broadcast channel? (ii) what kind of feedback is feasible? (iii) what is the notion of security that we seek? (iv) what is the power of the adversary? (v) what is the measure of transmission efficiency? We formally discuss these aspects in Section 2.

Fig. 1. An example where mixing private messages increases the transmission efficiency. Alice wants to send packet B to Bob and C to Calvin; the symbol X indicates that a transmitted packet is not successfully received due to corruption by the channel. Alice first broadcasts message B; Calvin successfully receives it, while Bob fails to do so. Next, Alice transmits message C; Bob successfully receives it, while Calvin fails. Alice can take advantage of the side information Bob and Calvin now have, and transmit the message B+C. This transmission is maximally useful for both receivers: assume both receive it. Bob, since he knows C, can retrieve B, and Calvin, since he knows B, can retrieve C. Thus the protocol concludes in three transmissions. In contrast, if we did not use coding across the private messages, we would need at least four transmissions, yielding a 33% reduction in efficiency.

Our protocol is based on the following ideas. First, Alice-Bob and Alice-Calvin may create unconditionally secure pairwise secret keys $K_B$ and $K_C$, respectively, using a fundamental observation of Maurer [14]: different receivers have different looks on the transmitted signals, and we can build on these differences with the help of feedback to create secret keys [9,10]. For example, if Alice transmits random packets through independent erasure channels with erasure probability 0.5, there would be a good fraction of them (approximately 25%) that only Bob receives, and we can transform this common randomness between Alice and Bob into a key $K_B$ using privacy amplification² [14,9,10,15]. A novel aspect of our protocol is that the secure keys for both Bob and Calvin are generated simultaneously using the same sequence of transmissions by Alice, thus optimally utilizing wireless broadcasting.

A naive approach is to generate the secret keys $K_B$, $K_C$ with the same size as the respective private messages and use them as one-time pads. This is too pessimistic in our case: Calvin is only going to receive a fraction of the packets intended for Bob, and thus we only need to create an amount of key that allows us to protect against this fraction. To build on this observation, feedback is useful; knowing which packets Bob has successfully received (or not) allows us to decide what to transmit next, so that we preserve as much secrecy from Calvin as possible; and symmetrically for Calvin. In the second phase of our protocol, we combine these ideas with a network coding strategy [16,17,1] that makes transmissions maximally useful to both Bob and Calvin. Fig. 2 shows the benefits of our approach (which achieves the secret message capacity) compared to the naive scheme.

Our protocol does not rely on both users operating honestly: even if we assume that Calvin misbehaves, for example by sending fake acknowledgments (see Section 4), we can still provide the same security guarantees and operational rate to the correctly behaving Bob.

Related work: Secure transmission of messages using noisy channel properties was pioneered by Wyner [18], who characterized the secret message capacity of wiretap channels. This led to a long sequence of research on information-theoretic security for various generalizations of the wiretap channel [19,20]. Notably, when the eavesdropper and legitimate channels are statistically identical, the wiretap framework yields no security.



² In fact this can be done using linear combinations of the received packets, thereby allowing for a complexity that is polynomial in the number of transmitted packets [9,15].



The fact that feedback can give security even in this case was first observed for secret key agreement by Maurer [14] and further developed by Ahlswede-Csiszár [21], but secure key agreement is not the same as secure transmission of specific messages. The wiretap channel with secure feedback and its variants for message security have been studied in [22,23]; some conclusive results are developed in special cases when there is a secure feedback inaccessible to the eavesdropper. Security of private message broadcasting without feedback has been studied in [24], where some conclusive results have been established. As mentioned earlier, the use of feedback and broadcast for private message transmission without security requirements has been studied in [2,3]. We believe that ours are the first conclusive results that use insecure (and very limited) feedback for information-theoretic security of multiple private messages. We use linear code constructions that superficially seem similar to those in secret sharing [25], but our problem is different since we obtain secrecy for all erasure probabilities by leveraging feedback³. Another problem that is different but bears some similarities is that of broadcast encryption [26,27], where a group of users receive a common secret message, and the issue is to deal with key management when users unsubscribe.

Outline: The rest of the paper is organized as follows. Section 2 describes the communication and security model, Section 3 gives our main result and a simple example, Section 4 formally describes our protocol, Section 5 contains the security analysis, Section 6 establishes optimality by proving an impossibility theorem and Section 7 concludes by discussing several possible extensions. Detailed proofs are provided in the Appendices.

2 Problem formulation and system model 

We consider a three-party communication setting with one sender (Alice) and two receivers (Bob and Calvin). The goal of Alice is to securely send private messages $W_1$ and $W_2$ to Bob and Calvin, such that the receivers may not learn each other's messages.

Alice employs a memoryless erasure broadcast channel defined as follows. The inputs of the channel are length-$L$ vectors over $\mathbb{F}_q$, which we sometimes call packets. The $i$th input is denoted by $X_i$. The $i$th output of the channel seen by Bob is $Y_{1,i}$, while the output seen by Calvin is $Y_{2,i}$. The broadcast channel consists of two independent erasure channels towards Bob and Calvin. We denote by $\delta_1$ the erasure probability of Bob's channel and by $\delta_2$ that of Calvin's channel. More precisely,

$$\Pr\{Y_{1,i}, Y_{2,i} \mid X_i\} = \Pr\{Y_{1,i} \mid X_i\}\,\Pr\{Y_{2,i} \mid X_i\},$$

and

$$Y_{1,i} = \begin{cases} X_i & \text{with probability } 1-\delta_1 \\ \perp & \text{with probability } \delta_1, \end{cases} \qquad Y_{2,i} = \begin{cases} X_i & \text{with probability } 1-\delta_2 \\ \perp & \text{with probability } \delta_2, \end{cases}$$

where $\perp$ is the symbol of an erasure.

Assumptions: We assume that the receivers send public acknowledgments after each transmission stating whether or not they received the transmission correctly. By public we mean that the acknowledgments are available not only to Alice but to the other receiver as well⁴. We assume that some authentication method prevents the receivers from forging each other's acknowledgments. Also, we assume that both Bob and Calvin only learn each other's acknowledgment causally, after they have revealed their own (we justify this in Section 7 when we discuss Denial-of-Service attacks).

Let $S_i$ denote the state of the channel in the $i$th transmission, $S_i \in \{B, C, BC, \emptyset\}$, corresponding to the receptions "Bob only", "Calvin only", "Both" and "None", respectively. Further, $\hat S_i$ denotes the state based on the acknowledgments sent by Bob and Calvin. If both users report honestly, then $S_i = \hat S_i$. We denote by $S^i$ the vector that collects all the states up to the $i$th, i.e., $S^i = [S_1 \dots S_i]$, and similarly for $\hat S^i$.

Besides the communication capability described above, all users can securely generate private randomness. We denote by $\theta_A$, $\theta_B$ and $\theta_C$ the private random strings Alice, Bob, and Calvin, respectively, have access to. All parties have perfect knowledge of the communication model.

³ Secret sharing would require that the number of erasures of the adversary is smaller than that of the legitimate receiver.
⁴ In a practical setting, we do not need to actually have a public error-free channel to send the acknowledgments: since these are very short packets, we can utilize a sufficiently strong error correcting code and send them through the noisy wireless channels.



2.1 Security and reliability requirements 

An $(n, \epsilon, N_1, N_2)$ scheme sends $N_1$ packets to Bob and $N_2$ to Calvin using $n$ transmissions from Alice with error probability smaller than $\epsilon$. Formally:

Definition 1. An $(n, \epsilon, N_1, N_2)$ scheme for the two-user message transmission problem consists of the following components: (a) message alphabets $\mathcal{W}_1 = \mathbb{F}_q^{L N_1}$ and $\mathcal{W}_2 = \mathbb{F}_q^{L N_2}$, (b) encoding maps $f_i(\cdot)$, $i = 1, 2, \dots, n$, and (c) decoding maps $\phi_1(\cdot)$ and $\phi_2(\cdot)$, such that if the inputs to the channel are

$$X_i = f_i(W_1, W_2, \theta_A, \hat S^{i-1}), \quad i = 1, 2, \dots, n, \qquad (1)$$

where $W_1 \in \mathcal{W}_1$ and $W_2 \in \mathcal{W}_2$ are arbitrary messages in their respective alphabets and $\theta_A$ is the private randomness Alice has access to, then, provided the receivers acknowledge honestly, their estimates after decoding $\hat W_1 = \phi_1(Y_1^n)$ and $\hat W_2 = \phi_2(Y_2^n)$ satisfy

$$\Pr\{\hat W_1 \neq W_1\} \le \epsilon, \quad \text{and} \qquad (2)$$
$$\Pr\{\hat W_2 \neq W_2\} \le \epsilon. \qquad (3)$$

Definition 2. An $(n, \epsilon, N_1, N_2)$ scheme is said to be secure against honest-but-curious users if, in case both receivers are honest and the input messages $W_1$ and $W_2$ are independent random variables distributed uniformly over their respective alphabets, in addition to conditions (2)-(3) the following two conditions also hold:

$$I(W_1; Y_2^n S^n \theta_C) \le \epsilon, \qquad (4)$$
$$I(W_2; Y_1^n S^n \theta_B) \le \epsilon. \qquad (5)$$

Malicious user: We will say that a user is malicious if the user can (a) select the marginal distribution of the other user's message arbitrarily (his own message is assumed to be independent of the other user's message and uniformly distributed over his alphabet, and the malicious user does not have access to his own message), and (b) produce dishonest acknowledgments as a (potentially randomized) function of all the information he has access to when producing each acknowledgment (this includes all the packets and the pattern of erasures he received up to and including the current packet he is acknowledging, and the acknowledgments sent by the other user over the public channel up to the previous packet). We allow at most one user to be malicious.

Definition 3. An $(n, \epsilon, N_1, N_2)$ scheme is said to be secure against a malicious user if, in case one of the receivers is malicious (as defined above), the scheme guarantees for the other (honest) receiver decodability and security as in Definitions 1 and 2. That is, if Calvin is the malicious user, (2) and (4) are satisfied for Bob, while if Bob is the malicious user, (3) and (5) are satisfied for Calvin.

Clearly a scheme which is secure against a malicious user is also secure against honest-but-curious users, since the malicious user may choose the uniform distribution for the other user's message and choose to acknowledge truthfully.

Secret message capacity region: The communication rate $R_i$ towards receiver $i$ expresses the number of message $W_i$ bits successfully and securely delivered to receiver $i$ per channel use⁵. We are interested in characterizing all rate pairs $(R_1, R_2)$ that our channel can support.

Definition 4. The rate pair $(R_1, R_2) \in \mathbb{R}_+^2$ is said to be achievable if for every $\epsilon, \epsilon' > 0$ there are $N_1$ and $N_2$ and a large enough $n$ such that there exists an $(n, \epsilon, N_1, N_2)$ scheme that is secure against a malicious user and⁶

$$R_1 - \epsilon' \le \frac{1}{n} N_1 L \log q, \qquad R_2 - \epsilon' \le \frac{1}{n} N_2 L \log q. \qquad (6)$$

The secret message capacity region $\mathcal{R} \subset \mathbb{R}_+^2$ is defined as the set of all achievable rate pairs.

⁵ Channel use refers to Alice using the channel once to send one packet.
⁶ All logarithms in this paper are to the base 2 unless otherwise specified.




Fig. 2. Achieved rate region (in bits/packet) by the naive scheme, in contrast to the optimal scheme and to the capacity region for the message sending problem with no security requirements. For this example $\delta_1 = 0.7$, $\delta_2 = 0.6$, $L = 1$, $q = 2$. Translating this region to bits/sec depends on how fast the source can send packets: for example, if we operate at the point $(R_1 = 0.1, R_2 = 0.2)$ with the transmission rate of 1 Mbit/sec that IEEE 802.11b supports, we would securely send ≈ 100 Kbits/sec to Bob and ≈ 200 Kbits/sec to Calvin.

3 Main result 



Theorem 1. The secret message capacity region as defined in Definition 4 is the set of all rate pairs $(R_1, R_2) \in \mathbb{R}_+^2$ which satisfy the following two inequalities:

$$\frac{R_1(1-\delta_2)}{\delta_2(1-\delta_1)(1-\delta_1\delta_2)} + \frac{R_1}{1-\delta_1} + \frac{R_2}{1-\delta_1\delta_2} \le 1, \qquad (7)$$
$$\frac{R_2(1-\delta_1)}{\delta_1(1-\delta_2)(1-\delta_1\delta_2)} + \frac{R_1}{1-\delta_1\delta_2} + \frac{R_2}{1-\delta_2} \le 1. \qquad (8)$$

The first term of these inequalities can be interpreted as the overhead for security, because, as we will see soon, it corresponds to the duration of a secret key generation phase. Omitting these terms gives us the capacity region for the message transmission problem with two users without any secrecy requirements [2]. The difference between these two capacity regions (with and without secrecy requirements) is illustrated in Fig. 2 for some specific values of the parameters $\delta_1$, $\delta_2$, $L$ and $q$.

We prove Theorem 1 in two steps. First, we provide a protocol in Section 4 and prove in Section 5 that this protocol achieves all the rate pairs in the capacity region. The complexity of the scheme is discussed in Appendix A. Then we provide in Section 6 a proof showing that (7) and (8) are also bounds that are impossible to exceed by any protocol (a converse in information-theory parlance). Interestingly, our converse holds even for the capacity region defined using the weaker honest-but-curious security definition, i.e., a malicious user cannot deteriorate the performance experienced by an honest user. The following simple example illustrates the main ideas in our protocol.



3.1 A simplified example when both receivers are honest-but-curious 

Alice wants to securely send the $N_1 = 3$ message packets $W_1 = [W_{1,1}, W_{1,2}, W_{1,3}]$ to Bob and the $N_2 = 3$ message packets $W_2 = [W_{2,1}, W_{2,2}, W_{2,3}]$ to Calvin. Both Bob and Calvin are honest and report back truthfully. The protocol proceeds as depicted in Table 1.



Table 1. An example of a simplified protocol when both receivers are honest but curious.

Key generation: Alice transmits five random packets $X_1, \dots, X_5$. At the end of this phase, Alice and Bob share the two secret key packets $K_{B,1} = X_1$ and $K_{B,2} = X_5$ that Bob received and Calvin did not. Similarly, Alice and Calvin share the secret key packets $K_{C,1} = X_3$ and $K_{C,2} = X_4$. The packet $X_2$, which was received by both Bob and Calvin, is discarded.

Message transmission for Bob: We secure Bob's messages with one-time pads and transmit them until either Bob or Calvin receives them; we start by sending $X_6 = W_{1,1} \oplus K_{B,1}$, where $\oplus$ denotes addition in $\mathbb{F}_q^L$.

– Since only Calvin receives $X_6$, we consider the key $K_{B,1}$ as consumed (Calvin observed a linear combination of it) and the message $W_{1,1}$ as undelivered (Bob did not receive anything). We will deal with undelivered messages at the last stage; at this point we proceed to send the new packet $X_7 = W_{1,2} \oplus K_{B,2}$.

– Since only Bob receives $X_7$, we consider the message $W_{1,2}$ as delivered (Bob can retrieve it from $X_7$) and the key $K_{B,2}$ as unconsumed (it remains secret from Calvin); we can reuse it to send $X_8 = W_{1,3} \oplus K_{B,2}$.

– Since both Calvin and Bob receive $X_8$, the message $W_{1,3}$ is delivered to Bob and the key $K_{B,2}$ is consumed. At the end of this phase Bob has received packets $W_{1,2}$ and $W_{1,3}$ and is missing packet $W_{1,1}$.

Message transmission for Calvin: We similarly make a first attempt to deliver Calvin's message. We assume we are less successful than before, and although we consume both keys $K_{C,1}$ and $K_{C,2}$, we only deliver $W_{2,1}$ to Calvin. Note that $X_{10}$, which is not received by any user, is simply retransmitted.

Message transmission for both: To deliver the remaining messages $W_{1,1}$, $W_{2,2}$ and $W_{2,3}$, we take advantage of the fact that Bob already has $X_{11}$ and Calvin has $X_6$: we send $X_{13} = X_6 \oplus X_{11}$, which is maximally useful for both. Bob can recover $X_6$ and from this $W_{1,1}$, while Calvin can recover $X_{11}$ and from this $W_{2,2}$. Note that $X_{13}$ brings no information to Bob or Calvin about each other's message.

Important properties: This simple scheme has the following properties.

– The number of key packets we set up and consume is smaller than the number of message packets we convey per user, because we can reuse certain keys that the adversary did not receive.

– At the last message transmission phase, we exploit the side information users have about each other's message to make a single transmission useful to both, without consuming any new key.

Towards the general protocol: If a node is dishonest he can send fake acknowledgments. Interestingly, we can rely on the expected behavior of the channel (and coding techniques) to have no performance loss for the honest user. For example, in the key generation phase, if we expect that Calvin will only receive one of the three packets Bob successfully receives, we can produce for Bob the keys $K_{B,1} = X_1 \oplus X_2$ and $K_{B,2} = X_2 \oplus X_3$, which are secure from Calvin no matter which packet he received. Similarly, when we send packets to Bob, assume we expect Calvin to receive two of these transmissions, but we do not know which two. We then create three linear combinations of Bob's keys, say $K'_{B,1} = K_{B,1}$, $K'_{B,2} = K_{B,2}$, $K'_{B,3} = K_{B,1} \oplus K_{B,2}$, and transmit $X_6 = W_{1,1} \oplus K'_{B,1}$, $X_7 = W_{1,2} \oplus K'_{B,2}$, and $X_8 = W_{1,3} \oplus K'_{B,3}$; no matter which two of these Calvin receives, we are secure. Our protocol builds on these ideas.
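The "no matter which packets he received" argument above is exactly the MDS property used in steps 3 and 4 of the protocol in Section 4: any $k_B$ columns of the parity-check matrix, and any $k_B$ rows of the generator matrix, are linearly independent. The following added example (not the paper's code) builds both matrices as Vandermonde matrices over the prime field $\mathbb{F}_{257}$ with $L = 1$ (assumptions made here so that MDS matrices of any size exist; the paper's $\mathbb{F}_2$ example uses small hand-picked matrices instead) and checks the worst case over every subset the other user could have received.

```python
# Added example (not the paper's code): MDS-based privacy amplification (Section 4, step 3) and
# key expansion (step 4), with a worst-case check over all subsets of packets the other user may
# hold. Assumptions: L = 1 and q = 257 (prime, so arithmetic mod q is the field F_q); Vandermonde
# matrices serve as the MDS parity-check and generator matrices.
from itertools import combinations

Q = 257

def vandermonde(n_points, width):
    """n_points x width matrix with entries (i+1)^j over F_Q. Any `width` of its rows are
    linearly independent (distinct evaluation points), which is the MDS property used below."""
    return [[pow(i + 1, j, Q) for j in range(width)] for i in range(n_points)]

def rank_mod_q(matrix):
    """Rank over F_Q by Gaussian elimination."""
    m = [row[:] for row in matrix]
    r = 0
    for c in range(len(m[0]) if m else 0):
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], Q - 2, Q)
        m[r] = [x * inv % Q for x in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(a - f * b) % Q for a, b in zip(m[i], m[r])]
        r += 1
    return r

def parity_check(k1, kB):
    """Step 3: a kB x k1 matrix H, every kB columns of which are independent, i.e. a parity-check
    matrix of a (k1, k1-kB) MDS code. K_B = H X compresses Bob's k1 packets into kB key packets."""
    V = vandermonde(k1, kB)
    return [[V[i][j] for i in range(k1)] for j in range(kB)]  # transpose of V

def privacy_amplify(x_packets, kB):
    H = parity_check(len(x_packets), kB)
    return [sum(h * x for h, x in zip(row, x_packets)) % Q for row in H]

def expand_keys(kB_packets, N1):
    """Step 4: K'_B = G K_B with G the N1 x kB generator matrix of an (N1, kB) MDS code, so that
    any kB of the N1 pads K'_B,i are jointly uniform."""
    G = vandermonde(N1, len(kB_packets))
    return [sum(g * k for g, k in zip(row, kB_packets)) % Q for row in G]

def key_hidden(H, leaked):
    """Calvin knows the X packets at positions `leaked`. K_B = H X is uniform and independent
    of what he knows iff the columns of H at the unknown positions span all of F_Q^{kB}."""
    unknown = [c for c in range(len(H[0])) if c not in leaked]
    return rank_mod_q([[row[c] for c in unknown] for row in H]) == len(H)

def pads_hidden(G, seen):
    """Calvin sees the pads K'_B,i (inside U_B,i) at positions `seen`; they are jointly uniform,
    hence reveal nothing about W1, iff the corresponding rows of G are independent."""
    return rank_mod_q([G[i] for i in seen]) == len(seen)

def worst_case_secure(k1, kB, N1):
    """Secure for every choice of the k1-kB key-phase packets and every choice of the kB
    encrypted packets that the other user may have received."""
    H, G = parity_check(k1, kB), vandermonde(N1, kB)
    return (all(key_hidden(H, set(s)) for s in combinations(range(k1), k1 - kB))
            and all(pads_hidden(G, s) for s in combinations(range(N1), kB)))

if __name__ == "__main__":
    K_B = privacy_amplify([5, 7, 11], kB=2)           # constructed sample packets
    print(K_B, expand_keys(K_B, N1=3), worst_case_secure(3, 2, 3))
```

Replacing `parity_check` with a matrix that simply selects raw packets as keys makes `key_hidden` fail as soon as the leaked packet is one of the selected ones, which is the naive scheme the text contrasts with.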



4 Protocol 

We now describe an $(n, \epsilon, N_1, N_2)$ scheme that is secure against a malicious user as in Definition 3.

Parameters: The operation of the protocol utilizes a set of parameters which we can directly calculate before the protocol starts, and whose use we will describe in the following.



[Equations (9)-(13), which define the protocol parameters, are not legible in this copy.]

$$n = n_1 + n_2 + n_3 + n_4. \qquad (14)$$

Main idea: Using our protocol, Alice attempts to send $N_1$ message packets $W_1 = (W_{1,1}, W_{1,2}, \dots, W_{1,N_1})$ to Bob and $W_2 = (W_{2,1}, W_{2,2}, \dots, W_{2,N_2})$ to Calvin using at most $n$ packet transmissions. She either succeeds in sending $W_1$ to Bob or declares an error for Bob. Similarly, she either succeeds in sending $W_2$ to Calvin or declares an error for Calvin. We will argue in Section 5 that the failure probability can be made arbitrarily small. She proceeds in the following steps.

I. Key generation. Generation of $k_B$ shared secret key packets between Alice-Bob and $k_C$ secret packets between Alice-Calvin using $n_1$ transmissions. This step fails if we do not succeed in generating the required number of secret key packets.

II. Message encryption and transmission. She encrypts the messages using the produced keys and reliably transmits them to the two receivers. This step fails if we do not manage to deliver all the $N_1$ and $N_2$ message packets within the prescribed number of transmissions.



Protocol Description

Key Generation

1. Alice transmits $n_1$ packets $X_1, \dots, X_{n_1}$. She generates these packets uniformly at random from $\mathbb{F}_q^L$ using her private randomness, and independently of $W_1$, $W_2$.

2. Bob and Calvin acknowledge which packets they have received. If Bob receives fewer than $k_1$ packets we declare a protocol error for him. Similarly for Calvin if he receives fewer than $k_2$ packets. When an error is declared for both users, the protocol terminates. If not, we continue with the user not in error, as if the user in error did not exist.

3. Let $X_{k_1}$ be an $L \times k_1$ matrix that has as columns the first $k_1$ packets that Bob acknowledged. Alice and Bob create secret key packets as $K_B = X_{k_1} G_{k_B}$, where $G_{k_B}$ is a $(k_1 \times k_B)$ matrix and is a parity check matrix of a $(k_1, k_1 - k_B)$ Maximum Distance Separable (MDS) code [28]. $K_B$ is a shared key set up between Alice and Bob, and consists of $k_B$ length-$L$ packets.

Similarly, using the first $k_2$ packets that Calvin acknowledges, Alice and Calvin create $k_C$ secret key packets. The MDS codes are publicly known and fixed in advance.



Message encryption and transmission
Encryption

4. Alice and Bob produce $N_1$ linear combinations of their $k_B$ secret keys as $K'_B = K_B G'_B$, where $G'_B$ is a $(k_B \times N_1)$ matrix and is a generator matrix of an $(N_1, k_B)$ MDS code, which is also publicly known. Similarly, Alice and Calvin create $N_2$ linear combinations of their $k_C$ keys.

5. Alice creates $N_1$ encrypted messages to send to Bob

$$U_{B,i} = W_{1,i} \oplus K'_{B,i}, \quad i = 1 \dots N_1,$$

where $\oplus$ is addition in the vector space. Let $U_B$ denote the set of $U_{B,i}$, $i = 1, \dots, N_1$. She similarly produces a set $U_C$ of encrypted messages to send to Calvin

$$U_{C,i} = W_{2,i} \oplus K'_{C,i}, \quad i = 1 \dots N_2.$$

Transmissions to Bob

6. Alice sequentially takes each of the $U_{B,i}$, $i = 1 \dots N_1$, encrypted packets and repeatedly transmits it until it is acknowledged either by Bob or Calvin. That is, if at time $i$ Alice transmits $X_i = U_{B,j}$ for some $j \le N_1$, then

$$X_{i+1} = \begin{cases} U_{B,j}, & \text{if } \hat S_i = \emptyset \\ U_{B,j+1}, & \text{otherwise.} \end{cases} \qquad (15)$$

7. (a) At the end of $n_2$ transmissions of $U_B$ packets, if Bob did not acknowledge $N_1(1-\delta_1)/(1-\delta_1\delta_2)$ of them, a protocol error is declared for Bob and we move to step 8 below. If Calvin did not acknowledge $N_1(1-\delta_2)/(1-\delta_1\delta_2)$ packets, an error is declared for Calvin and we continue transmitting $U_B$ packets.

(b) If all the $U_B$ packets are not exhausted before $n_2 + n_4$ transmissions, we declare a protocol error for Bob and proceed to the next step.

Transmissions to Calvin

8. Similarly, Alice takes each of the $U_{C,i}$, $i = 1 \dots N_2$, packets and repeatedly transmits it until it is acknowledged either by Bob or Calvin. That is, if at time $i$ we had $X_i = U_{C,j}$ for some $j \le N_2$, then

$$X_{i+1} = \begin{cases} U_{C,j}, & \text{if } \hat S_i = \emptyset \\ U_{C,j+1}, & \text{otherwise.} \end{cases} \qquad (16)$$

9. (a) At the end of $n_3$ transmissions of $U_C$ packets, if Calvin did not acknowledge $N_2(1-\delta_2)/(1-\delta_1\delta_2)$ of them, a protocol error is declared for Calvin and we move to step 10 below. If Bob did not acknowledge $N_2(1-\delta_1)/(1-\delta_1\delta_2)$ packets, we declare an error for Bob and continue transmitting $U_C$ packets.

(b) If all the $U_C$ packets are not exhausted before $n_3 + n_4$ transmissions, we declare a protocol error for Calvin and proceed to the next step.

Transmissions to both

10. At this step, Alice knows the following:

- At the end of step 6, there may exist some encrypted packets that are acknowledged only by Calvin and not by Bob. Assume we have $N'_1$ such packets, and denote them as $U'_{B,i}$, $i = 1 \dots N'_1$.

- Similarly, at the end of step 8, there may exist some $N'_2$ encrypted packets $U'_{C,i}$, $i = 1 \dots N'_2$, that only Bob has acknowledged and not Calvin.

Alice proceeds to transmit $\oplus$ combinations of $U'_{B,i}$ and $U'_{C,i}$ packets.

- She starts by transmitting $U'_{B,1} \oplus U'_{C,1}$.

- If at time $i$ Alice transmits $X_i = U'_{B,j} \oplus U'_{C,l}$, the next packet $X_{i+1}$ is chosen according to the acknowledged state $\hat S_i$ [the case rule for $X_{i+1}$ is not legible in this copy; only its last case, $\hat S_i = BC$, survives].

- If Alice first finishes all the $N'_1$ packets $U'_{B,j}$, she continues by transmitting the remaining $N'_2$ packets until Calvin receives all of them.

- Similarly, if she first finishes all the $U'_{C,j}$ packets, she continues with the remaining $N'_1$ packets until Bob acknowledges them.

11. If steps 6 and 10 together exceed $n_2 + n_4$ transmissions, an error is declared for Bob. Similarly, if steps 8 and 10 together exceed $n_3 + n_4$ transmissions, an error is declared for Calvin. In any case, the protocol is terminated when the channel has been used $n$ times.



5 Analysis 

Theorem 2. For any $\epsilon, \epsilon' > 0$ there exists a large enough $n$ for which the scheme described above is secure against a malicious user and achieves (in the sense of (6)) any rate pair in the region defined by (7)-(8).

Proof. Below, we prove that the above scheme is secure against a malicious user and runs without error with high probability. The rate assertion of the theorem follows from a simple numerical evaluation with the given parameter values.



5.1 Security 

In our argument we focus on the secrecy of $W_1$ against a malicious Calvin, but the same reasoning works for $W_2$ against a malicious Bob as well. Since we do not intend to give security guarantees to a malicious user and consider at most one user to be malicious, we may assume that Bob is honest. Moreover, under our definition of a malicious user, $W_1$ and $W_2$ are independent and the latter is uniformly distributed over its alphabet, but the distribution of $W_1$ is arbitrary and controlled by the malicious Calvin.

To analyze the secrecy of $W_1$, we may, without loss of generality, assume that no error was declared for Bob during the key generation phase. Recall that an error is declared for Bob only if Bob fails to acknowledge at least $k_1$ packets. If an error was in fact declared for Bob, no information about Bob's message $W_1$ is ever transmitted by Alice⁷. However, note that we do account for this error event when we analyze the probability of error for Bob in Section 5.2.

We first show that $I(K_B; Y_2^{n_1} S^{n_1})$ can be made small, i.e., the key generation phase is secure.

⁷ More precisely, if $E_{1,B}$ is the indicator random variable for an error being declared for Bob in the key generation phase,

$$I(W_1; Y_2^n, S^n, \theta_C) \le I(W_1; Y_2^n, S^n, \theta_C, E_{1,B}) = I(W_1; Y_2^n, S^n, \theta_C \mid E_{1,B}) \le I(W_1; Y_2^n, S^n, \theta_C \mid E_{1,B} = 0).$$

To avoid clutter, we leave out the conditioning event in the rest of this subsection.



Lemma 1. When Bob is honest and no error is declared for Bob in the key generation phase,

$$I(K_B; Y_2^{n_1} S^{n_1}) \le k_B e^{-c_1\sqrt{k_B}} L \log q, \qquad (17)$$

if $k_1 = \frac{k_B}{\delta_2} + \left(\frac{k_B}{\delta_2}\right)^{3/4}$, where $c_1 > 0$ is some constant. Moreover, $K_B$ is uniformly distributed over its alphabet.

The key facts we use in proving this lemma are (i) the number of packets seen by Calvin concentrates around its mean and (ii) an MDS parity check matrix can be used to perform privacy amplification in the packet erasure setting.

We still need to show that the secrecy condition (4) is satisfied by the scheme even if Calvin controls the distribution of $W_1$. We have

$$I(W_1; Y_2^n S^n \theta_C) \le I(W_1; Y_2^n S^n \theta_C U_C) = I(W_1; Y_2^n \mid Y_2^{n_1} S^n \theta_C U_C), \qquad (18)$$

where the last equality used the fact that $\theta_A$, $W_2$, $S^n$ are independent of $W_1$ and we may express $Y_2^{n_1}$, $U_C$ as deterministic functions of $\theta_A$, $\theta_C$, $W_2$, $S^n$. Let $\mathbb{1}_{B,i}$ be the indicator random variable for the event that Calvin observes the packet $U_{B,i}$ either in its pure form or in a form where the $U_{B,i}$ packet is added with some $U_{C,j}$ packet. Let $M_B$ be the random variable which denotes the number of distinct packets of $U_B$ that Calvin observes, so $M_B = \sum_{i=1}^{N_1} \mathbb{1}_{B,i}$. We have the following two lemmas:

Lemma 2. $H(Y_2^n \mid Y_2^{n_1} S^n \theta_C U_C) \le E\{M_B\}\, L \log q$.

Lemma 3. $H(Y_2^n \mid W_1 Y_2^{n_1} S^n \theta_C U_C) \ge E\{\min(k_B, M_B)\}\, L \log q - I(K_B; Y_2^{n_1} S^{n_1})$.

Using these in (18), we have

$$I(W_1; Y_2^n S^n \theta_C) \le E\{\max(0, M_B - k_B)\}\, L \log q + I(K_B; Y_2^{n_1} S^{n_1}). \qquad (19)$$

Lemma 1 gives a bound for the second term. We can bound the first term using concentration inequalities. In order to do this, let $Z_{B,i}$ be the number of repetitions of a packet $U_{B,i}$ that Alice makes until Bob acknowledges it (where we count both the transmission in pure form and in addition with some packet from $U_C$). Note that the random variables $Z_{B,i}$ are independent of each other and have the same distribution. This follows from the fact that the $S_i$ sequence is i.i.d., and each $S_i$ is independent of $(W_2, S^{i-1}, \Theta_C)$. In other words, Calvin can exert no control over the channel state. Further, for the same reason, with every repetition the chance that Calvin obtains the transmission is $1-\delta_2$. This implies that the indicator random variables $1_{B,i}$ are i.i.d. with

$$\Pr\{1_{B,i} = 1\} = (1-\delta_2) + \delta_1\delta_2(1-\delta_2) + (\delta_1\delta_2)^2(1-\delta_2) + \ldots = \frac{1-\delta_2}{1-\delta_1\delta_2},$$

since Calvin first sees the packet on the $(j+1)$st repetition exactly when both receivers missed the first $j$ copies. Notice that $M_B$ is a sum of $N_1$ such independent random variables, and hence $E\{M_B\} = N_1\frac{1-\delta_2}{1-\delta_1\delta_2}$. Since

$$k_B = N_1\frac{1-\delta_2}{1-\delta_1\delta_2} + \left(N_1\frac{1-\delta_2}{1-\delta_1\delta_2}\right)^{3/4},$$

by applying the Chernoff-Hoeffding bound (and $M_B \le N_1$) we have

$$E\{\max(0, M_B - k_B)\} \le N_1 \Pr\{M_B > k_B\} \le N_1 e^{-c_2\sqrt{N_1}} \tag{20}$$

for a constant $c_2 > 0$. Substituting this together with Lemma 1 in (19) we get

$$I(W_1; Y_2^n S^n \Theta_C) \le N_1 e^{-c_2\sqrt{N_1}} L\log q + k_B e^{-c_1\sqrt{k_1}} L\log q$$

for constants $c_1, c_2 > 0$. By choosing a large enough value of $N_1$, we may meet (7).

Recall from (9)-(14) that by saying that we choose $N_1$ large enough we cause $n$ to be large enough.
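The repetition process and the bound (20) can be checked numerically. The following Python script is an added example (not part of the paper): it evaluates $\Pr\{1_{B,i}=1\}$ both from the geometric series and from its closed form, sizes $k_B$ as above, computes the Hoeffding tail $\Pr\{M_B > k_B\} \le \exp(-2\,E\{M_B\}^{3/2}/N_1) = e^{-2p^{3/2}\sqrt{N_1}}$ with $p = \frac{1-\delta_2}{1-\delta_1\delta_2}$ (the explicit constant $c_2 = 2p^{3/2}$ is this example's own calculation; the paper only asserts that some $c_2 > 0$ exists), and runs a seeded Monte Carlo of Alice repeating each of the $N_1$ packets until Bob acknowledges it. The channel parameters, $N_1$ and the trial counts are constructed inputs.

```python
"""Added example (not from the paper): overhearing probability, key size k_B,
the Hoeffding tail behind (20), and a seeded Monte Carlo of the ARQ process.
delta_1, delta_2, N_1 and trial counts are constructed inputs; the explicit
constant c_2 = 2 p^{3/2} is this example's own calculation."""
import math
import random


def p_overhear(d1, d2):
    """Pr{1_{B,i} = 1}: Calvin sees U_{B,i} (pure or XORed) before Bob ACKs it.
    Closed form of the geometric series (1-d2) * sum_j (d1 d2)^j."""
    return (1 - d2) / (1 - d1 * d2)


def p_overhear_series(d1, d2, terms=200):
    """Same probability summed term by term: Calvin first sees the packet on
    repetition j+1, after j rounds in which both receivers missed it."""
    return sum((1 - d2) * (d1 * d2) ** j for j in range(terms))


def expected_m_b(n1, d1, d2):
    """E{M_B} = N_1 (1-d2)/(1-d1 d2): mean number of U_B packets Calvin sees."""
    return n1 * p_overhear(d1, d2)


def key_size_k_b(n1, d1, d2):
    """k_B = E{M_B} + E{M_B}^{3/4}: key packets provisioned for Bob."""
    mu = expected_m_b(n1, d1, d2)
    return mu + mu ** 0.75


def hoeffding_tail(n1, d1, d2):
    """Pr{M_B > k_B} <= exp(-2 t^2 / N_1) with t = E{M_B}^{3/4} (Hoeffding for
    a sum of N_1 independent indicators), i.e. exp(-2 p^{3/2} sqrt(N_1)):
    the e^{-c_2 sqrt(N_1)} term in (20)."""
    mu = expected_m_b(n1, d1, d2)
    return math.exp(-2 * mu ** 1.5 / n1)


def leakage_bound_packets(n1, d1, d2):
    """E{max(0, M_B - k_B)} <= N_1 Pr{M_B > k_B}: right-hand side of (20),
    in packets (multiply by L log q for bits)."""
    return n1 * hoeffding_tail(n1, d1, d2)


def simulate_m_b(n1, d1, d2, trials, seed=1):
    """Monte Carlo of the protocol's ARQ: each of the N_1 packets is repeated
    until Bob receives it; M_B counts the packets Calvin saw at least once."""
    rng = random.Random(seed)
    samples = []
    for _ in range(trials):
        m_b = 0
        for _ in range(n1):
            calvin_saw = False
            while True:
                bob_got = rng.random() >= d1      # erased at Bob w.p. delta_1
                if rng.random() >= d2:            # erased at Calvin w.p. delta_2
                    calvin_saw = True
                if bob_got:
                    break                         # Bob ACKs, no more repetitions
            if calvin_saw:
                m_b += 1
        samples.append(m_b)
    return samples


def empirical_overshoot(n1, d1, d2, trials, seed=1):
    """Empirical E{max(0, M_B - k_B)} in packets, to compare with (20)."""
    kb = key_size_k_b(n1, d1, d2)
    s = simulate_m_b(n1, d1, d2, trials, seed)
    return sum(max(0, m - kb) for m in s) / len(s)
```

With $\delta_1 = \delta_2 = 0.5$ and $N_1 = 100$ the Hoeffding tail is already below $10^{-4}$, so the overshoot term in (20) is a small fraction of a packet; the Monte Carlo mean of $M_B$ concentrates at $N_1 \cdot 2/3$ as the closed form predicts.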



5.2 Error probability

We need to bound the probability that an error is declared for Bob¹. An error happens if:

— Bob receives fewer than $k_1$ packets in the first phase,

— he does not receive $N_1(1-\delta_1)/(1-\delta_1\delta_2)$ packets of $U_B$ in step 7(a), or $N_2(1-\delta_2)/(1-\delta_1\delta_2)$ packets of $U_C$ in step 9(a),

— he does not receive all the $N_1$ packets of $U_B$ (either in pure form or added with a packet in $U_C$) before step 11 intervenes.

All these error events have the same nature. An error happens if Bob collects significantly fewer packets than he is expected to receive in a particular step. The probability of these events can be bounded by applying the Chernoff-Hoeffding bound as we did to show the security guarantee (20). The sum of these bounds gives an upper bound on the overall error probability of the scheme, which in turn can be made smaller than $\epsilon$ by choosing $N_1$ large enough. A straightforward computation using the parameters in (9)-(14) shows that (8) is also satisfied. □



6 Impossibility result (converse)

With Theorem 3 we complete the proof of Theorem 1. Throughout this section we will assume that both Bob and Calvin are honest. Obviously, an upper bound for this case is a valid upper bound in the case of a malicious user as well. Interestingly, we get the same bounds for the honest-but-curious users' and for the malicious users' case. Our proof relies on a few lemmas which can be found together with their proofs in Appendix C.

Theorem 3. For the secret message capacity region as defined in Definition 4 it holds that:

$$\frac{R_1(1-\delta_2)}{\delta_2(1-\delta_1)(1-\delta_1\delta_2)} + \frac{R_1}{1-\delta_1} + \frac{R_2}{1-\delta_1\delta_2} \le 1,$$

$$\frac{R_2(1-\delta_1)}{\delta_1(1-\delta_2)(1-\delta_1\delta_2)} + \frac{R_1}{1-\delta_1\delta_2} + \frac{R_2}{1-\delta_2} \le 1.$$

Proof. We will prove the first inequality, the second follows from symmetry. We look at Alice's transmissions from Bob's perspective and express them in three terms (21a)-(21c) using elementary properties of entropy:

$$nL\log q \ge \sum_{i=1}^n H(X_i) \ge \sum_{i=1}^n H(X_i \mid Y_1^{i-1}S^{i-1}) = \sum_{i=1}^n \left[ H(X_i \mid Y_1^{i-1}Y_2^{i-1}S^{i-1}) + I(X_i; Y_2^{i-1} \mid Y_1^{i-1}S^{i-1}) \right]$$

$$= \sum_{i=1}^n \Big[ \underbrace{H(X_i \mid Y_1^{i-1}Y_2^{i-1}S^{i-1}W_1)}_{(a)} + \underbrace{I(X_i; W_1 \mid Y_1^{i-1}Y_2^{i-1}S^{i-1})}_{(b)} + \underbrace{I(X_i; Y_2^{i-1} \mid Y_1^{i-1}S^{i-1})}_{(c)} \Big]. \tag{21}$$

Lemmas 4-7 give lower bounds on each of the three terms in (21); putting these together results in the stated inequality. □
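As an added worked step (not part of the original text), here is the combination of Lemmas 4-7 carried through with the lemmas exactly as stated below: $\sum_i (a)$ is bounded by Lemma 6 and then Lemma 7, $\sum_i (b)$ by Lemma 4, and $\sum_i (c)$ by Lemma 5, with $\mathcal{E} = \mathcal{E}_1 + \mathcal{E}_2 + \frac{1-\delta_2}{(1-\delta_1)\delta_2}\mathcal{E}_5$ collecting the error terms:

$$\begin{aligned}
nL\log q &\ge \sum_{i=1}^n (a) + \sum_{i=1}^n (b) + \sum_{i=1}^n (c) \\
&\ge \frac{1-\delta_2}{(1-\delta_1)\delta_2}\left[\frac{nR_1}{1-\delta_1\delta_2} + \frac{nR_2\delta_2(1-\delta_1)}{(1-\delta_2)(1-\delta_1\delta_2)} - \mathcal{E}_5\right] + \left[\frac{nR_1}{1-\delta_1\delta_2} - \mathcal{E}_1\right] + \left[\frac{nR_1}{1-\delta_1} - \frac{nR_1}{1-\delta_1\delta_2} - \mathcal{E}_2\right] \\
&= \frac{nR_1(1-\delta_2)}{\delta_2(1-\delta_1)(1-\delta_1\delta_2)} + \frac{nR_2}{1-\delta_1\delta_2} + \frac{nR_1}{1-\delta_1} - \mathcal{E}.
\end{aligned}$$

The two $\frac{nR_1}{1-\delta_1\delta_2}$ terms from Lemmas 4 and 5 cancel, and the $R_2$ term of Lemma 7 is exactly scaled by the factor of Lemma 6 into $\frac{nR_2}{1-\delta_1\delta_2}$. Dividing by $n$ (with the rate normalization of Definition 4, under which the right-hand side is compared to $L\log q$) and letting the error and leakage parameter vanish, so that $\mathcal{E}/n \to 0$, gives the first inequality of Theorem 3; the single-receiver case $R_2 = 0$ gives $R_1 \le \frac{\delta_2(1-\delta_1)(1-\delta_1\delta_2)}{(1-\delta_2) + \delta_2(1-\delta_1\delta_2)}$.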

Intuition: We now informally interpret the terms in (21) with our protocol (of Section 4) in mind. Note however that the proof provides a general impossibility bound that holds for any scheme that satisfies Definition 4. The terms (21a)-(21c) classify the information Alice sends during the $i$th transmission. These terms can also be interpreted as balancing key generation and consumption for secrecy, as described below.

Term (21a) can be interpreted as anything that is not related to Bob's message $W_1$ (and has not been seen by either Bob or Calvin). This is lower bounded through Lemmas 6-7. For example, in our protocol this corresponds to a key generation attempt for either Bob or Calvin, or a new encrypted message for Calvin, i.e., steps 1 and 8.

Term (21b) is interpreted as an encrypted packet that Alice tries to send to Bob, which has not already been received by Calvin. This is lower bounded in Lemma 4. In our protocol this occurs in transmissions directed towards Bob only in step 6.

Term (21c) brings information that Calvin has already seen during previous transmissions, but Bob has not seen. This is lower bounded in Lemma 5. In our protocol this would correspond to transmissions in step 10.

¹ Note that, under our protocol, if no error is declared for Bob, he will be able to decode $W_1$.



7 Extensions and discussion

We showed that it is possible to provide unconditional security guarantees while wirelessly broadcasting two private messages; we characterized all possible transmission rate pairs for the private messages, and showed we can achieve these using a simple protocol that efficiently generates and utilizes an appropriate amount of key. We conclude our paper with several natural extensions and some open questions.

Practical deployment: Our protocol has low complexity (see Appendix A) and does not require changing the physical layer transceivers of the three users; it is thus attractive for a potential system deployment. Although we only claim optimality under the modeling assumptions of Section 2, we believe such a system could enable operation at high secret message rates (for the parameters in Fig. 2, of the order of 100 Kbits/sec per user), using channel conditioning techniques of [9, 10].

Common message: Assume that besides the private messages, we also have a common message $W_c$ (and corresponding rate $R_c$) that we want to deliver to both Bob and Calvin. Our protocol and the converse proof can be easily extended to cover this case. The capacity region becomes

$$\max\left(\frac{R_1(1-\delta_2)}{\delta_2(1-\delta_1)(1-\delta_1\delta_2)} + \frac{R_1+R_c}{1-\delta_1} + \frac{R_2}{1-\delta_1\delta_2},\ \frac{R_2(1-\delta_1)}{\delta_1(1-\delta_2)(1-\delta_1\delta_2)} + \frac{R_1}{1-\delta_1\delta_2} + \frac{R_2+R_c}{1-\delta_2}\right) \le 1,$$

where the last two terms of each argument of the max are the known bound for (not-secure) message sending [2], while the first term corresponds to the overhead of key generation, same as before.

Partially secret messages: Another natural extension is to keep secret only one part of the private message to each user; that is, we have $W_1 = (W'_1, W''_1)$, $W_2 = (W'_2, W''_2)$ with a secrecy requirement only for $W'_1$ and $W'_2$. Accordingly, $R_1 = R'_1 + R''_1$, $R_2 = R'_2 + R''_2$. Assuming the messages are independent and $W''_1, W''_2$ are uniformly distributed over their alphabets, our results easily extend to this case, with capacity region

$$\max\left(\frac{R'_1(1-\delta_2)}{\delta_2(1-\delta_1)(1-\delta_1\delta_2)} + \frac{R_1+R_c}{1-\delta_1} + \frac{R_2}{1-\delta_1\delta_2},\ \frac{R'_2(1-\delta_1)}{\delta_1(1-\delta_2)(1-\delta_1\delta_2)} + \frac{R_1}{1-\delta_1\delta_2} + \frac{R_2+R_c}{1-\delta_2}\right) \le 1,$$

where $R_c$ is the rate of the common message of the previous extension (zero if there is none): only the secret parts $R'_1, R'_2$ pay the key generation overhead.

Correlated erasures: Our results extend to arbitrary correlation between the erasure patterns, as long as the distribution is known a priori. Both the protocol and the converse can be modified to characterize the secure transmission rates for this case. The resulting capacity region depends on the joint distribution.

Strengthening the malicious user: Our security guarantees assume that the malicious user may choose the marginal distribution of the other user's message, but his own message is assumed to be independent and uniformly distributed over its alphabet; moreover, he can only learn his message through the channel outputs he receives. A stronger malicious user could choose the joint distribution of the messages (and may also have access to his own message). Even under this stronger security definition, it is not hard to see we can achieve nonzero rates (e.g., by two instantiations of our protocol, first for Bob with $R_2$ set to 0 and then for Calvin with $R_1$ set to 0); however, we conjecture that the capacity region is in general smaller than what we derived here.

Denial-of-Service (DoS) attacks: We leave open the question of what happens if the malicious user launches denial-of-service attacks (outside of what our current model allows); however, in general such attacks can be deterred by ensuring they reveal who the attacker is. As an example, in the key generation phase of our protocol, we assumed that Bob and Calvin cannot learn the other's feedback before sending their own. This assumption stops a malicious Bob from acknowledging the exact same packets as Calvin, which would lead to protocol failure for Calvin and a DoS attack. In practice, for half the ACKs we can ask Bob to send them first before Calvin, and for the other half Calvin to send them first before Bob, and thus identify users attempting such attacks. In this category are also attacks that attempt to (partially) control the channel, for example through physical layer jamming, where we can resort to physical layer techniques to find the jammer's real location.
A Complexity considerations

It is clear from the analysis in Section 5 that the length $n$ of the scheme grows as $\max\{O(\log^2\frac{1}{\epsilon}), O(\frac{1}{\epsilon'})\}$, where $\epsilon$ is the security and probability of error parameter, and $\epsilon'$ is the gap parameter associated with the rate (see Definition 4). The algorithmic complexity is quadratic in $n$; quadratic from the matrix multiplication to produce the key.

Also, for the proposed scheme, the size (entropy in bits) of $\Theta_A$ is linear in $n$ and no private randomness is needed at Bob and Calvin. For a malicious user, we allow an unlimited amount of private randomness.



Table 2. Summary of notation

$X_i, Y_{1,i}, Y_{2,i}$ — The $i$th input and outputs of the channel
$S_i, S^*_i$ — The actual and the acknowledged $i$th state of the channel
$\delta_1, \delta_2$ — Erasure probabilities of Bob's and Calvin's channel
$W_1, W_2$ — Private messages for Bob and Calvin
$K_B, K_C$ — Shared keys between Alice-Bob, Alice-Calvin
$K'_B, K'_C$ — Keys used for encryption, dependent linear combinations of packets in $K_B$ (or $K_C$)
$U_B, U_C$ — Encrypted messages of Bob and Calvin
$L$ — Size of a packet in terms of symbols
$N_1, N_2$ — Size of $W_1$ and $W_2$ (in packets)
$R_1, R_2$ — Secret message rates for Bob and Calvin
$\Theta_A, \Theta_B, \Theta_C$ — Private randomness of Alice, Bob and Calvin
$k_B, k_C$ — Size of the keys $K_B$ and $K_C$ (in packets)
$V_i$ — $i$th element of any vector $V$
$V^i$ — First $i$ elements of any vector $V$, i.e., $(V_1, V_2, \ldots, V_i)$



B Proof of lemmas in Section 5

Lemma 1. When Bob is honest and no error is declared for Bob in the key generation phase,

$$I(K_B; Y_2^{n'} S^n) \le k_B e^{-c_1\sqrt{k_1}} L\log q \tag{24}$$

if $k_1$ is chosen (as in the protocol) so that $k_1 - k_B \ge (1-\delta_2)k_1 + k_1^{3/4}$, where $c_1 > 0$ is some constant. Moreover, $K_B$ is uniformly distributed over its alphabet.

Proof. With a slight abuse of notation, in the following $X_{BC}$ will denote the actual packets Calvin received (not necessarily the same as those that he acknowledges) out of the first $k_1$ packets Bob received. Note that here we assume that an error was not declared for Bob in the key generation phase and hence Bob did receive at least $k_1$ packets in the key generation phase. Also let $X_{BO}$ be the packets seen only by Bob among the first $k_1$ he receives. Let $I_{BO}$ and $I_{BC}$ be the index sets corresponding to $X_{BO}$ and $X_{BC}$. Recall that $X_B^{k_1}$ denotes the first $k_1$ packets received by Bob. The notation $M^{I}$ will denote a matrix $M$ restricted to the index set $I$ (the columns of $X_B^{k_1}$, and correspondingly the rows of $G_{k_B}$ that multiply them). Given this,

$$\begin{aligned}
I(K_B; Y_2^{n'}S^n) &= I(X_B^{k_1}G_{k_B}; X_{BC}S^n) \\
&= H(X_B^{k_1}G_{k_B}) - H(X_B^{k_1}G_{k_B} \mid X_{BC}S^n) \\
&= k_BL\log q - H(X_B^{k_1}G_{k_B} \mid X_{BC}S^n) \\
&= k_BL\log q - H(X_{BO}G^{I_{BO}} + X_{BC}G^{I_{BC}} \mid X_{BC}S^n) \\
&= k_BL\log q - H(X_{BO}G^{I_{BO}} \mid X_{BC}S^n) \\
&= k_BL\log q - H(X_{BO}G^{I_{BO}} \mid S^n),
\end{aligned}$$

where the third equality follows from the MDS property of the matrix $G_{k_B}$ (together with the i.i.d. uniform distribution of the packets), and the last from the independence of $X_{BO}$ and $X_{BC}$ given $S^n$. Using the same property, we have

$$\begin{aligned}
H(X_{BO}G^{I_{BO}} \mid S^n) &= \sum_{i=0}^{k_1}\min\{i, k_B\}\, L\log q\, \Pr\{|X_{BO}| = i\} \\
&\ge \sum_{i=k_B}^{k_1} k_BL\log q\, \Pr\{|X_{BO}| = i\} = k_BL\log q\, \Pr\{|X_{BO}| \ge k_B\} \\
&= k_BL\log q\,(1 - \Pr\{|X_{BO}| < k_B\}) \\
&= k_BL\log q\,(1 - \Pr\{|X_{BC}| > k_1 - k_B\}) \\
&\overset{(a)}{\ge} k_BL\log q\,(1 - \Pr\{|X_{BC}| > (1-\delta_2)k_1 + k_1^{3/4}\}) \\
&\ge k_BL\log q\,(1 - \Pr\{\,||X_{BC}| - E[|X_{BC}|]\,| > k_1^{3/4}\}),
\end{aligned}$$

where the inequality (a) follows from the fact that the conditions on $k_B$ and $k_1$ imply that

$$k_1 - k_B \ge (1-\delta_2)k_1 + k_1^{3/4},$$

and the last step uses $E[|X_{BC}|] = (1-\delta_2)k_1$. The Chernoff-Hoeffding bound gives that for some constant $c_1 > 0$

$$\Pr\{\,||X_{BC}| - E[|X_{BC}|]\,| > k_1^{3/4}\} \le e^{-c_1\sqrt{k_1}}.$$

So, we have that

$$I(K_B; Y_2^{n'}S^n) \le k_BL\log q\, e^{-c_1\sqrt{k_1}}. \tag{25}$$

The final assertion of the lemma is a simple consequence of the MDS property of the code and the fact that the packets $X_B^{k_1}$ are i.i.d. uniform. □
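The two facts behind Lemma 1 (concentration of Calvin's share, and MDS privacy amplification, listed as (i) and (ii) at the start of Section 5.1) can be exercised directly. The following Python script is an added example, not code from the paper: it builds a $k_1 \times k_B$ Vandermonde matrix over a prime field as the MDS matrix $G_{k_B}$ (any $k_B$ of its rows are invertible, which is the property the proof uses), derives $K_B = X_B^{k_1}G_{k_B}$, computes $H(K_B \mid X_{BC})$ in packets as the rank of $G^{I_{BO}}$, and checks over random subsets that the leakage is $\max(0, k_B - |I_{BO}|)$ whatever packets Calvin happened to see. It also finds the smallest $k_1$ satisfying the condition $\delta_2 k_1 - k_1^{3/4} \ge k_B$ used at step (a), and evaluates the Hoeffding bound with an explicit constant. The field size $p = 65537$, the packet length, and all packet contents are constructed inputs of this example.

```python
"""Added example (not from the paper): MDS privacy amplification of a packet
key over GF(p), as in Lemma 1.  Assumptions: q = p = 65537 (prime), packets
are length-L vectors over GF(p), G_{k_B} is a k_1 x k_B Vandermonde matrix."""
import math
import random

P = 65537   # field size q (assumption of this example)


def vandermonde(k1, kb, p=P):
    """k_1 x k_B Vandermonde matrix with distinct nodes 1..k_1: any k_B rows
    form an invertible square Vandermonde matrix (the MDS property)."""
    assert k1 < p
    return [[pow(a, j, p) for j in range(kb)] for a in range(1, k1 + 1)]


def derive_key(packets, g, p=P):
    """K_B = X_B^{k_1} G: key packet j is sum_i X_i * G[i][j], symbol-wise."""
    k1, kb = len(g), len(g[0])
    assert len(packets) == k1
    return [[sum(packets[i][l] * g[i][j] for i in range(k1)) % p
             for l in range(len(packets[0]))] for j in range(kb)]


def rank_mod_p(rows, p=P):
    """Rank over GF(p) by Gaussian elimination."""
    m = [[v % p for v in r] for r in rows]
    rank = 0
    for col in range(len(m[0]) if m else 0):
        piv = next((r for r in range(rank, len(m)) if m[r][col]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][col], p - 2, p)
        m[rank] = [(v * inv) % p for v in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % p for a, b in zip(m[r], m[rank])]
        rank += 1
        if rank == len(m):
            break
    return rank


def secret_key_packets(g, calvin_idx, p=P):
    """H(K_B | X_BC) / (L log q): given Calvin's packets, K_B is a known
    offset plus X_BO G^{I_BO}, uniform over the row space of G^{I_BO}, so
    the conditional entropy is rank(G^{I_BO}) packets."""
    bob_only = [g[i] for i in range(len(g)) if i not in calvin_idx]
    return rank_mod_p(bob_only, p)


def leaked_key_packets(g, calvin_idx, p=P):
    """k_B - rank(G^{I_BO}), which equals max(0, k_B - |I_BO|) by MDS."""
    return len(g[0]) - secret_key_packets(g, calvin_idx, p)


def check_mds_leakage(k1, kb, trials=50, seed=7, p=P):
    """Random subsets seen by Calvin: leakage depends only on HOW MANY
    packets he saw, never on which ones (constructed test inputs)."""
    rng = random.Random(seed)
    g = vandermonde(k1, kb, p)
    for _ in range(trials):
        s = rng.randint(0, k1)
        calvin = set(rng.sample(range(k1), s))
        if leaked_key_packets(g, calvin, p) != max(0, kb - (k1 - s)):
            return False
    return True


def min_k1(kb, d2):
    """Smallest k_1 with delta_2 k_1 - k_1^{3/4} >= k_B, i.e. the condition
    k_1 - k_B >= (1-delta_2) k_1 + k_1^{3/4} used at step (a) of the proof."""
    k1 = kb
    while d2 * k1 - k1 ** 0.75 < kb:
        k1 += 1
    return k1


def hoeffding_miss(k1):
    """Pr{ | |X_BC| - E|X_BC| | > k_1^{3/4} } <= 2 exp(-2 sqrt(k_1)): Hoeffding
    for k_1 independent indicators, giving c_1 = 2 (this example's constant)."""
    return 2 * math.exp(-2 * math.sqrt(k1))
```

The rank computation is the quantitative content of the proof's line $H(X_{BO}G^{I_{BO}} \mid S^n) = \sum_i \min\{i,k_B\}L\log q\,\Pr\{|X_{BO}|=i\}$: as long as Bob holds at least $k_B$ packets Calvin never saw, no symbol of $K_B$ leaks, and each missing Bob-only packet below that threshold costs exactly one key packet.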

Lemma 2.

$$H(Y_2^n \mid Y_2^{n'}S^n\Theta_CU_C) \le E\{M_B\}\, L\log q.$$

Proof. Let $U'_B$ be a vector of length $N_1$ such that the $i$-th element $U'_{B,i}$ is $U_{B,i}$ if Calvin observes this $U_{B,i}$ either in the pure form or added with some element of $U_C$, and $U'_{B,i} = \bot$ otherwise. Let $1_{B,i}$ be the indicator random variable for the event $U'_{B,i} \ne \bot$. It is easy to see that the following are information equivalent (i.e., we can express each side as a deterministic function of the other)

$$(Y_2^n, S^n, \Theta_C, U_C) \equiv (U'_B, Y_2^{n'}, S^n, \Theta_C, U_C).$$

Therefore,

$$H(Y_2^nS^n\Theta_CU_C) = H(U'_BY_2^{n'}S^n\Theta_CU_C),$$

$$\begin{aligned}
H(Y_2^n \mid Y_2^{n'}S^n\Theta_CU_C) &= H(U'_B \mid Y_2^{n'}S^n\Theta_CU_C) \\
&= \sum_{i=1}^{N_1} H(U'_{B,i} \mid U'^{\,i-1}_B Y_2^{n'}S^n\Theta_CU_C) \\
&= \sum_{i=1}^{N_1} H(U'_{B,i} \mid 1_{B,i}U'^{\,i-1}_B Y_2^{n'}S^n\Theta_CU_C) \\
&\le \sum_{i=1}^{N_1} H(U'_{B,i} \mid 1_{B,i}) \\
&\le \sum_{i=1}^{N_1} (L\log q)\Pr\{1_{B,i} = 1\} \\
&= E\left\{\sum_{i=1}^{N_1} 1_{B,i}\right\}(L\log q),
\end{aligned}$$

where the third equality follows from the fact that the indicator random variable $1_{B,i}$ is a deterministic function of the conditioning random variables. □



Lemma 3.

$$H(Y_2^n \mid W_1Y_2^{n'}S^n\Theta_CU_C) \ge E\{\min(k_B, M_B)\}\, L\log q - I(K_B; Y_2^{n'}S^n).$$

Proof. We adopt the notation for $U'_B$ and $1_{B,i}$ introduced in the proof of Lemma 2. In addition, let $K''_B$ be defined in a similar manner as $U'_B$, such that $K''_{B,i} = \bot$ if $U'_{B,i} = \bot$ and $K''_{B,i} = K'_{B,i}$ otherwise. Also, let $1_B$ be the vector of indicator random variables $1_{B,j}$, $j = 1, \ldots, N_1$. Proceeding as in the proof of Lemma 2, we have

$$\begin{aligned}
H(Y_2^n \mid W_1Y_2^{n'}S^n\Theta_CU_C) &= H(U'_B \mid W_1Y_2^{n'}S^n\Theta_CU_C) \\
&= H(K''_B \mid W_1Y_2^{n'}S^n\Theta_CU_C) \\
&\ge H(K''_B \mid 1_BW_1Y_2^{n'}S^n\Theta_CU_C) \\
&= H(K''_B \mid 1_B) - I(K''_B; W_1Y_2^{n'}S^n\Theta_CU_C \mid 1_B).
\end{aligned}$$

But, from the MDS property of $G_{K'_B}$ and the fact that $K_B$ is uniformly distributed over its alphabet, we have

$$H(K''_B \mid 1_B) = \sum_{i=0}^{N_1}\min(i, k_B)\Pr\left\{\sum_{j=1}^{N_1}1_{B,j} = i\right\}L\log q = E\left\{\min\left(k_B, \sum_{j=1}^{N_1}1_{B,j}\right)\right\}L\log q.$$

Also,

$$I(K''_B; W_1Y_2^{n'}S^n\Theta_CU_C \mid 1_B) \overset{(a)}{\le} I(K''_B1_B; Y_2^{n'}S^n) \le I(K_B; Y_2^{n'}S^n),$$

where (a) follows from the fact that the distribution of $W_2$ (uniform and independent of $S^n, \Theta_A, \Theta_C$) implies that $U_C$ is independent of $(\Theta_A, S^n)$, and using this we can argue that the following is a Markov chain:

$$K''_B - (1_B, Y_2^{n'}, S^n) - (W_1, \Theta_C, U_C).$$

Substituting back we have the lemma. □



C Proof of Lemmas 4-7

First we give a bound on (21b). The first lemma expresses that Alice has to send sufficient information about message $W_1$ such that Bob and Calvin together (in fact Bob himself also) can reconstruct it despite the erasures.

Lemma 4. From conditions (7)-(8) it follows that

$$\sum_{i=1}^n I(X_i; W_1 \mid Y_1^{i-1}Y_2^{i-1}S^{i-1}) \ge \frac{nR_1}{1-\delta_1\delta_2} - \mathcal{E}_1,$$

where $\mathcal{E}_1$ is the error term coming from Fano's inequality.

Proof.

$$\begin{aligned}
nR_1 - \mathcal{E}_1(1-\delta_1\delta_2) &\le I(Y_1^nY_2^nS^n; W_1) = \sum_{i=1}^n I(Y_{1,i}Y_{2,i}S_i; W_1 \mid Y_1^{i-1}Y_2^{i-1}S^{i-1}) \\
&= \sum_{i=1}^n I(Y_{1,i}Y_{2,i}; W_1 \mid Y_1^{i-1}Y_2^{i-1}S^{i-1}S_i) = \sum_{i=1}^n I(Y_{1,i}Y_{2,i}; W_1 \mid Y_1^{i-1}Y_2^{i-1}S^{i-1}, S_i \ne \emptyset)\Pr\{S_i \ne \emptyset\} \\
&= \sum_{i=1}^n I(X_i; W_1 \mid Y_1^{i-1}Y_2^{i-1}S^{i-1})(1-\delta_1\delta_2).
\end{aligned}$$

Here, the first inequality is Fano's inequality [29, Chapter 2]. Besides, we exploited the independence property of $S_i$: it is independent of everything that precedes it, and whenever $S_i \ne \emptyset$ the non-erased output equals $X_i$. □

Lemma 5. From conditions (7)-(8) it follows that

$$\sum_{i=1}^n I(X_i; Y_2^{i-1} \mid Y_1^{i-1}S^{i-1}) \ge \frac{nR_1}{1-\delta_1} - \frac{nR_1}{1-\delta_1\delta_2} - \mathcal{E}_2,$$

where $\mathcal{E}_2$ is the Fano error term of Lemma 9.

Proof. From Lemma 9,

$$\begin{aligned}
\frac{nR_1}{1-\delta_1} - \mathcal{E}_2 &\le \sum_{i=1}^n I(X_i; W_1 \mid Y_1^{i-1}S^{i-1}) \\
&= \sum_{i=1}^n \left[ I(X_i; W_1 \mid Y_1^{i-1}Y_2^{i-1}S^{i-1}) + I(X_i; Y_2^{i-1} \mid Y_1^{i-1}S^{i-1}) - I(X_i; Y_2^{i-1} \mid Y_1^{i-1}S^{i-1}W_1) \right] \\
&\le \sum_{i=1}^n I(X_i; W_1 \mid Y_1^{i-1}Y_2^{i-1}S^{i-1}) + \sum_{i=1}^n I(X_i; Y_2^{i-1} \mid Y_1^{i-1}S^{i-1}) \\
&\le \frac{nR_1}{1-\delta_1\delta_2} + \sum_{i=1}^n I(X_i; Y_2^{i-1} \mid Y_1^{i-1}S^{i-1}). \qquad (26)
\end{aligned}$$

To get (26) we used Lemma 8. □
Lemma 6 can be interpreted as the connection between the generation and consumption of the randomness Bob knows but Calvin doesn't.

Lemma 6. From conditions (7)-(8) it follows that

$$\sum_{i=1}^n H(X_i \mid Y_1^{i-1}Y_2^{i-1}S^{i-1}W_1) \ge \frac{1-\delta_2}{(1-\delta_1)\delta_2}\sum_{i=1}^n I(X_i; Y_1^{i-1} \mid Y_2^{i-1}S^{i-1}W_1).$$

Proof.

$$\begin{aligned}
0 &\le H(Y_1^nS^n \mid Y_2^nS^nW_1) = H(Y_1^{n-1}S^{n-1} \mid Y_2^nS^nW_1) + H(Y_{1,n}S_n \mid Y_1^{n-1}Y_2^nS^nW_1) \\
&= H(Y_1^{n-1}S^{n-1} \mid Y_2^{n-1}S^{n-1}W_1) - I(Y_1^{n-1}S^{n-1}; Y_{2,n}S_n \mid Y_2^{n-1}S^{n-1}W_1) + H(Y_{1,n} \mid Y_1^{n-1}Y_2^nS^nW_1) \\
&= H(Y_1^{n-1}S^{n-1} \mid Y_2^{n-1}S^{n-1}W_1) - I(Y_1^{n-1}S^{n-1}; Y_{2,n} \mid Y_2^{n-1}S^{n-1}S_nW_1) + H(Y_{1,n} \mid Y_1^{n-1}Y_2^nS^nW_1) \\
&= H(Y_1^{n-1}S^{n-1} \mid Y_2^{n-1}S^{n-1}W_1) - I(Y_1^{n-1}S^{n-1}; Y_{2,n} \mid Y_2^{n-1}S^{n-1}W_1, C \subseteq S_n)\Pr\{C \subseteq S_n\} \\
&\quad + H(Y_{1,n} \mid Y_1^{n-1}Y_2^{n-1}S^{n-1}W_1, S_n = B)\Pr\{S_n = B\} + H(Y_{1,n} \mid Y_1^{n-1}Y_2^{n-1}Y_{2,n}S^{n-1}W_1, S_n = BC)\Pr\{S_n = BC\} \\
&= H(Y_1^{n-1}S^{n-1} \mid Y_2^{n-1}S^{n-1}W_1) - I(Y_1^{n-1}S^{n-1}; X_n \mid Y_2^{n-1}S^{n-1}W_1)(1-\delta_2) \\
&\quad + H(X_n \mid Y_1^{n-1}Y_2^{n-1}S^{n-1}W_1)(1-\delta_1)\delta_2 + H(X_n \mid Y_1^{n-1}Y_2^{n-1}X_nS^{n-1}W_1)(1-\delta_1)(1-\delta_2) \\
&= H(Y_1^{n-1}S^{n-1} \mid Y_2^{n-1}S^{n-1}W_1) - I(Y_1^{n-1}S^{n-1}; X_n \mid Y_2^{n-1}S^{n-1}W_1)(1-\delta_2) + H(X_n \mid Y_1^{n-1}Y_2^{n-1}S^{n-1}W_1)(1-\delta_1)\delta_2.
\end{aligned}$$

Here we used that $S_n$ is independent of everything that precedes it, that the states $S_n \in \{\emptyset, C\}$ contribute nothing to the last entropy term (Bob receives nothing), and that the entropy of $X_n$ given $X_n$ is zero. We do the same steps recursively to obtain the statement of the lemma. □
Lemma 7. From the conditions (7)-(8) it also follows that

$$\sum_{i=1}^n I(X_i; Y_1^{i-1} \mid Y_2^{i-1}S^{i-1}W_1) + \mathcal{E}_5 \ge \frac{nR_1}{1-\delta_1\delta_2} + \frac{nR_2\delta_2(1-\delta_1)}{(1-\delta_2)(1-\delta_1\delta_2)}.$$

Proof. From Lemma 10,

$$\begin{aligned}
\mathcal{E}_3 &\ge \sum_{i=1}^n I(X_i; W_1 \mid Y_2^{i-1}S^{i-1}) \\
&= \sum_{i=1}^n \left[ H(X_i \mid Y_2^{i-1}S^{i-1}) - H(X_i \mid Y_2^{i-1}S^{i-1}W_1) \right] \\
&= \sum_{i=1}^n \left[ H(X_i \mid Y_1^{i-1}Y_2^{i-1}S^{i-1}) + I(X_i; Y_1^{i-1} \mid Y_2^{i-1}S^{i-1}) - H(X_i \mid Y_2^{i-1}S^{i-1}W_1) \right] \\
&= \sum_{i=1}^n \left[ H(X_i \mid Y_1^{i-1}Y_2^{i-1}S^{i-1}W_1) - H(X_i \mid Y_2^{i-1}S^{i-1}W_1) + I(X_i; W_1 \mid Y_1^{i-1}Y_2^{i-1}S^{i-1}) + I(X_i; Y_1^{i-1} \mid Y_2^{i-1}S^{i-1}) \right] \\
&= \sum_{i=1}^n \left[ -I(X_i; Y_1^{i-1} \mid Y_2^{i-1}S^{i-1}W_1) + I(X_i; W_1 \mid Y_1^{i-1}Y_2^{i-1}S^{i-1}) + I(X_i; Y_1^{i-1} \mid Y_2^{i-1}S^{i-1}) \right].
\end{aligned}$$

From Lemma 4,

$$\sum_{i=1}^n I(X_i; W_1 \mid Y_1^{i-1}Y_2^{i-1}S^{i-1}) \ge \frac{nR_1}{1-\delta_1\delta_2} - \mathcal{E}_1.$$

Further, a symmetric result to Lemma 5 shows:

$$\sum_{i=1}^n I(X_i; Y_1^{i-1} \mid Y_2^{i-1}S^{i-1}) \ge \frac{nR_2}{1-\delta_2} - \frac{nR_2}{1-\delta_1\delta_2} - \mathcal{E}_4 = \frac{nR_2\delta_2(1-\delta_1)}{(1-\delta_2)(1-\delta_1\delta_2)} - \mathcal{E}_4,$$

where $\mathcal{E}_4$ is the counterpart of $\mathcal{E}_2$ with the roles of the two receivers exchanged. Applying these bounds results in the statement of the lemma, with $\mathcal{E}_5 = \mathcal{E}_3 + \mathcal{E}_1 + \mathcal{E}_4$. □

Lemma 8. From conditions (7)-(8) it follows that

$$\frac{nR_1}{1-\delta_1\delta_2} \ge \sum_{i=1}^n I(X_i; W_1 \mid Y_1^{i-1}Y_2^{i-1}S^{i-1}).$$

Proof.

$$\begin{aligned}
nR_1 \ge H(W_1) &\ge I(Y_1^nY_2^nS^n; W_1) = \sum_{i=1}^n I(Y_{1,i}Y_{2,i}S_i; W_1 \mid Y_1^{i-1}Y_2^{i-1}S^{i-1}) \\
&= \sum_{i=1}^n I(Y_{1,i}Y_{2,i}; W_1 \mid Y_1^{i-1}Y_2^{i-1}S^{i-1}S_i) = \sum_{i=1}^n I(Y_{1,i}Y_{2,i}; W_1 \mid Y_1^{i-1}Y_2^{i-1}S^{i-1}, S_i \ne \emptyset)\Pr\{S_i \ne \emptyset\} \\
&= \sum_{i=1}^n I(X_i; W_1 \mid Y_1^{i-1}Y_2^{i-1}S^{i-1})(1-\delta_1\delta_2).
\end{aligned}$$

We used the same properties as before. □

With the same type of argument that we used to prove Lemma 4, we can show also the following:

Lemma 9. From conditions (7)-(8) it follows that

$$\sum_{i=1}^n I(X_i; W_1 \mid Y_1^{i-1}S^{i-1}) \ge \frac{nR_1}{1-\delta_1} - \mathcal{E}_2.$$

Lemma 10. From the security condition (7) it follows that

$$\mathcal{E}_3 \ge \sum_{i=1}^n I(X_i; W_1 \mid Y_2^{i-1}S^{i-1}),$$

where $\mathcal{E}_3 = \frac{\epsilon}{1-\delta_2}$.

Proof. From (7) we have that

$$\begin{aligned}
\epsilon &\ge I(Y_2^nS^n\Theta_C; W_1) \ge I(Y_2^nS^n; W_1) = \sum_{i=1}^n I(W_1; Y_{2,i}S_i \mid Y_2^{i-1}S^{i-1}) = \sum_{i=1}^n I(Y_{2,i}; W_1 \mid Y_2^{i-1}S^{i-1}S_i) \\
&= \sum_{i=1}^n I(Y_{2,i}; W_1 \mid Y_2^{i-1}S^{i-1}, C \subseteq S_i)\Pr\{C \subseteq S_i\} \\
&= \sum_{i=1}^n I(X_i; W_1 \mid Y_2^{i-1}S^{i-1}, C \subseteq S_i)(1-\delta_2) = \sum_{i=1}^n I(X_i; W_1 \mid Y_2^{i-1}S^{i-1})(1-\delta_2).
\end{aligned}$$

□